A Beautiful Journey Memory Error Protections The Aftermath Conclusions

A Beautiful Journey

Lorenzo Cavallaro <Lorenzo.Cavallaro@rhul.ac.uk>
Information Security Group
Royal Holloway, University of London
Jan 26, 2012

Lorenzo Cavallaro A Beautiful Journey 1/52
Who Am I?

- Post-doc researcher, VU Amsterdam (Jan 2010–Dec 2011), working with:
  - Prof. Andy Tanenbaum (OS dependability)
  - Prof. Herbert Bos (memory errors, malware analysis, and taint analysis)
- Post-doc researcher, UC at Santa Barbara (Apr 2008–Jan 2010), working with:
  - Prof. Giovanni Vigna and Prof. Christopher Kruegel (malware analysis and detection)
- Visiting PhD student, Stony Brook University (Sep 2006–Feb 2008), working with:
  - Prof. R. Sekar (memory errors protections, taint analysis, malware analysis)

... Since Jan 2012, a happy Lecturer in the ISG :-)
A Beautiful Journey
(Some of the) Threats on the Internet

[Figure: Mallory attacks Bob over the Internet (home banking, e-commerce, e-mail, www, ...). Labels on the diagram: NIDS; HIDS; Protocol Verification; (Offense) Disarming; Memory errors; MalWeb; Phishing, C&C, FastFlux, Drive by Download; Malware Analysis/Detection; Taint Analysis Limits.]

Pretty messy, huh?!
Timeline of my research

[Figure: timeline with a year axis running from 1999 to 2012. Topics placed on it: Trusted Computing (Protocol Verification); Network Intrusion Detection Systems; Host Intrusion Detection Systems; (Offense) Disarming; Memory Error Protections, Diversification (& Bounds Checking); Taint Analysis on Benign & (Limits on) Malicious Software; Botnet Analysis & Detection; OS Dependability & Hardware-supported Virtualization.]
Diversified Process Replicæ
Memory Error

A memory error occurs when an object accessed using a pointer expression is different from the one intended (the referent):
- Out-of-bounds access (e.g., buffer overflow)
- Access using a corrupted pointer (e.g., buffer overflow, format bug)
- Uninitialized pointer access, dangling pointers, ...

Memory error exploitation generally relies on:
- Data corruption
- Gathering information on memory location addresses
- Ability to execute code (sometimes)
Memory Error: A classic Code Pointer Corruption

    #include <string.h>

    int foo(char *input) {
        char lbuf[64];
        int i;

        /* No bounds check: the copy runs for strlen(input) bytes, not 64 */
        for (i = 0; i < strlen(input); i++)
            lbuf[i] = input[i];

        return 0;
    }

Stack layout of foo() (the stack grows towards low addresses):

    High Addresses
      input
      saved return address
      saved frame pointer
      lbuf[63]
      lbuf[62]
      ...
      lbuf[0]
    Low Addresses
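The overflow on this slide, modelled as an added example that is not part of the original slides: the frame is written as an explicit struct so the out-of-bounds write stays well-defined C, next to a bounds-checked copy. `struct frame`, `copy_unchecked`, `copy_checked` and `CONSTRUCTED_RET` are hypothetical names, and the input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of foo()'s frame in the slide's order, lowest address first.
 * Writes past lbuf land in the fields that follow it. */
struct frame {
    char      lbuf[64];
    uintptr_t saved_fp;   /* saved frame pointer  */
    uintptr_t saved_ret;  /* saved return address */
};

#define CONSTRUCTED_RET ((uintptr_t)0x1000)  /* constructed placeholder */

/* The slide's loop: n bytes copied with no check against sizeof lbuf.
 * Returns 1 if the saved return address was modified, else 0. */
int copy_unchecked(struct frame *f, const char *input, size_t n)
{
    unsigned char *base = (unsigned char *)f;
    f->saved_ret = CONSTRUCTED_RET;
    if (n > sizeof *f)            /* keep the model inside the struct */
        n = sizeof *f;
    for (size_t i = 0; i < n; i++)
        base[i] = (unsigned char)input[i];
    return f->saved_ret != CONSTRUCTED_RET;
}

/* Hardened variant: refuse input that does not fit lbuf plus its NUL. */
int copy_checked(struct frame *f, const char *input, size_t n)
{
    f->saved_ret = CONSTRUCTED_RET;
    if (n >= sizeof f->lbuf)
        return -1;                /* rejected, frame untouched */
    memcpy(f->lbuf, input, n);
    f->lbuf[n] = '\0';
    return f->saved_ret != CONSTRUCTED_RET;
}

int main(void)
{
    struct frame f;
    char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);        /* constructed sample input */
    printf("fits in lbuf:   %d\n", copy_unchecked(&f, input, 63));
    printf("overlong input: %d\n", copy_unchecked(&f, input, sizeof input));
    printf("checked copy:   %d\n", copy_checked(&f, input, sizeof input));
    return 0;
}
```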
Memory Error: The exploit

- Well-known way to subvert/divert a legal process execution flow
- Usually overwrite control-data with absolute known values:
  - Saved return addresses
  - Application-specific function pointers
  - "Other" function pointers (e.g., GOT, .dtors, C++ virtual pointers)
- Not only related to control flow hijacking...

(buffer overflow, format string bug, integer overflow, etc.)
Artificial Diversity

Biological Diversity: plays a crucial role for the survivability of every biological species

Memory error exploits rely on using well-known memory addresses ⇒ Make systems appear different!
- Address Space Layout Randomization (ASLR)
- Fine-grained Address Space Randomization (ASR)
- Instruction Set Randomization (ISR)
Artificial Diversity: Examples: ASLR & Fine-grained ASR

[Figure: three process address-space layouts side by side, each running from 0x0 to 0xbfffffff and containing text, data, bss, heap, mmap area and stack. Fixed addresses shown: 0x08048000, 0x40000000, 0xbfffffff. Randomized addresses shown: 0x080XXXXX, 0x40XXX000, 0xbfXXXXXX. The randomized layouts also contain unmapped regions.]
Artificial Diversity: Limitations

Such forms of artificial diversity
- Require high entropy
- Rely on keeping secrets
  - ... Disclosed by information leakage attacks
  - ... Defeated by brute forcing attacks
- Hard to counteract
  - Partial memory overwriting attacks
  - Most arbitrary data corruption
- Provides probabilistic protection